Password Credentials Flow (when previous flow can’t be used or during development).

Client Credentials Flow (the client can request an access token using only its client credentials)

Authorization Code Flow

The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for
confidential clients. As a redirection-based flow, the client must be capable of interacting with the resource
owner’s user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the
authorization server.

Password Credentials Flow

The resource owner password credentials grant type is suitable in cases where the resource owner has a trust
relationship with the client, such as the device operating system or a highly privileged application. The
authorization server should take special care when enabling this grant type, and only allow it when other flows are
not viable.

The grant type is suitable for clients capable of obtaining the resource owner’s credentials (username and password,
typically using an interactive form). It is also used to migrate existing clients using direct authentication
schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.

Client Credentials Flow

The client can request an access token using only its client credentials (or other supported means of authentication)
when the client is requesting access to the protected resources under its control, or those of another resource owner
that have been previously arranged with the authorization server (the method of which is beyond the scope of this
specification).

The client credentials grant type MUST only be used by confidential clients.

Extensions

The provider supports RFC7523 an extension to allow server to server authorization based on JWT.

Getting Started

An example on how to use this provider and authenticate with GitHub can be implemented as:

var oauth2 = OAuth2Auth.create(vertx, OAuth2FlowType.AUTH_CODE, OAuth2ClientOptions(
clientID = "YOUR_CLIENT_ID",
clientSecret = "YOUR_CLIENT_SECRET",
site = "https://github.com/login",
tokenPath = "/oauth/access_token",
authorizationPath = "/oauth/authorize"))
// when there is a need to access a protected resource or call a protected method,
// call the authZ url for a challenge
var authorization_uri = oauth2.authorizeURL(json {
obj(
"redirect_uri" to "http://localhost:8080/callback",
"scope" to "notifications",
"state" to "3(#0/!~"
)
})
// when working with web application use the above string as a redirect url
// in this case GitHub will call you back in the callback uri one should now complete the handshake as:
var code = "xxxxxxxxxxxxxxxxxxxxxxxx"
oauth2.getToken(json {
obj(
"code" to code,
"redirect_uri" to "http://localhost:8080/callback"
)
}, { res ->
if (res.failed()) {
// error, the code provided is not valid
} else {
// save the token and continue...
}
})

Authorization Code flow

The Authorization Code flow is made up from two parts. At first your application asks to the user the permission to
access their data. If the user approves the OAuth2 server sends to the client an authorization code. In the second
part, the client POST the authorization code along with its client secret to the authority server in order to get the
access token.

Password Credentials Flow

This flow is suitable when the resource owner has a trust relationship with the client, such as its computer
operating system or a highly privileged application. Use this flow only when other flows are not viable or when you
need a fast way to test your application.

JBoss Keycloak

When using this Keycloak the provider has knowledge on how to parse access tokens and extract grants from inside.
This information is quite valuable since it allows to do authorization at the API level, for example:

We also provide a helper class for Keycloak so that we can we can easily retrieve decoded token and some necessary
data (e.g. preferred_username) from the Keycloak principal. For example:

// you can get the decoded `id_token` from the Keycloak principal
var idToken = KeycloakHelper.idToken(principal)
// you can also retrieve some properties directly from the Keycloak principal
// e.g. `preferred_username`
var username = KeycloakHelper.preferredUsername(principal)

Google Server to Server

The provider also supports Server to Server or the RFC7523 extension. This is a feature present on Google with their
service account.

Token Introspection

Tokens can be introspected in order to assert that they are still valid. Although there is RFC7660 for this purpose
not many providers implement it. Instead there are variations also known as TokenInfo end points. The OAuth2
provider will accept both end points as a configuration. Currently we are known to work with Google and Keycloak.

Token introspection assumes that tokens are opaque, so they need to be validated on the provider server. Every time a
token is validated it requires a round trip to the provider. Introspection can be performed at the OAuth2 level or at
the User level:

Verifying JWT tokens

We’ve just covered how to introspect a token however when dealing with JWT tokens one can reduce the amount of trips
to the provider server thus enhancing your overall response times. In this case tokens will be verified using the
JWT protocol at your application side only. Verifying JWT tokens is cheaper and offers better performance, however
due to the stateless nature of JWTs it is not possible to know if a user is logged out and a token is invalid. For
this specific case one needs to use the token introspection if the provider supports it.

Until now we covered mostly authentication, although the implementation is relay party (that means that the real
authentication happens somewhere else), there is more you can do with the handler. For example you can also do
authorization if the provider is known to support JSON web tokens. This is a common feature if your provider is a
OpenId Connect provider or if the provider does support `access_token`s as JWTs.

Such provider is Keycloak that is a OpenId Connect implementation. In that case you will be able to perform
authorization in a very easy way.

Authorization with JWT tokens

Given that Keycloak does provide JWT `access_token`s one can authorize at two distinct levels:

role

authority

To distinct the two, the auth provider follows the same recommendations from the base user class, i.e.: use the`:` as
a separator for the two. It should be noted that both role and authorities do not need to be together, in the most
simple case an authority is enough.

In order to map to keycloak’s token format the following checks are performed:

If no role is provided, it is assumed to the the provider realm name

If the role is realm then the lookup happens in realm_access list

If a role is provided then the lookup happends in the resource_access list under the role name

Check for a specific authorities

Here is one example how you can perform authorization after the user has been loaded from the oauth2 handshake, for
example you want to see if the user can print in the current application:

user.isAuthorised("print", { res ->
// in this case it is assumed that the role is the current application
if (res.succeeded() && res.result()) {
// Yes the user can print
}
})

However this is quite specific, you might want to verify if the user can add-user to the whole system (the realm):

user.isAuthorised("realm:add-user", { res ->
// the role is "realm"
// the authority is "add-user"
if (res.succeeded() && res.result()) {
// Yes the user can add users to the application
}
})

Or if the user can access the year-report in the finance department:

user.isAuthorised("finance:year-report", { res ->
// the role is "finance"
// the authority is "year-report"
if (res.succeeded() && res.result()) {
// Yes the user can access the year report from the finance department
}
})

Token Management

Check if it is expired

Tokens are usually fetched from the server and cached, in this case when used later they might have already expired
and be invalid, you can verify if the token is still valid like this:

This call is totally offline, it could still happen that the Oauth2 server invalidated your token but you get a non
expired token result. The reason behind this is that the expiration is checked against the token expiration dates,
not before date and such values.

Refresh token

There are times you know the token is about to expire and would like to avoid to redirect the user again to the login
screen. In this case you can refresh the token. To refresh a token you need to have already a user and call:

user.refresh({ res ->
if (res.succeeded()) {
// the refresh call succeeded
} else {
// the token was not refreshed, a best practise would be
// to forcefully logout the user since this could be a
// symptom that you're logged out by the server and this
// token is not valid anymore.
}
})

Revoke token

Since tokens can be shared across various applications you might want to disallow the usage of the current token by
any application. In order to do this one needs to revoke the token against the Oauth2 server:

user.revoke("access_token", { res ->
if (res.succeeded()) {
// the refresh call succeeded
} else {
// the token was not refreshed, a best practise would be
// to forcefully logout the user since this could be a
// symptom that you're logged out by the server and this
// token is not valid anymore.
}
})

It is important to note that this call requires a token type. The reason is because some providers will return more
than one token e.g.:

id_token

refresh_token

access_token

So one needs to know what token to invalidate. It should be obvious that if you invalidate the refresh_token you’re
still logged in but you won’t be able to refresh anymore, which means that once the token expires you need to redirect
the user again to the login page.

Introspect

Introspect a token is similar to a expiration check, however one needs to note that this check is fully online. This
means that the check happens on the OAuth2 server.

user.introspect({ res ->
if (res.succeeded()) {
// the introspection call succeeded
} else {
// the token failed the introspection. You should proceed
// to logout the user since this means that this token is
// not valid anymore.
}
})

Important note is that even if the expired() call is true the return from the introspect call can still be an
error. This is because the OAuth2 might have received a request to invalidate the token or a loggout in between.

Logging out

Logging out is not a Oauth2 feature but it is present on OpenID Connect and most providers do support some sort
of logging out. This provider also covers this area if the configuration is enough to let it make the call. For the
user this is as simple as: